As a reaction to our test of the Smartfrog IP camera, the manufacturer contacted us to work on solutions for the flaws we were able to identify. Now that the product and application have been revised, we take a second look and explain why it now deserves our “certified security” status. All critical security issues were fixed, and thus Smartfrog is the first vendor ever to receive AV-TEST certification for an IP camera.
The gravest problems we found, namely the possibility of unhindered man-in-the-middle attacks on user login, password changes and registration, were all connected to an insufficient implementation of the HTTPS protocol. The provided server certificate was not verified, and therefore any certificate could be used to establish an encrypted connection to the application. This way a potential attacker was able to position himself between client and server and read and/or manipulate the transmitted contents without client or server noticing.
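One way to check Android client source for the kind of missing certificate verification described above, as an added example that is not AV-TEST's or Smartfrog's code. The page does not say how the app skipped verification, so the three patterns (common causes in Java TLS clients) and both sample sources are assumptions constructed for illustration.

```python
import re

# Source patterns that make a Java/Android TLS client accept any certificate.
# Assumption: common causes of this flaw, not findings from the tested app.
RULES = [
    ("checkServerTrusted has an empty body (trust-all TrustManager)",
     re.compile(r"checkServerTrusted\s*\([^)]*\)\s*(?:throws\s+[\w.,\s]+?)?\{\s*\}")),
    ("HostnameVerifier.verify always returns true",
     re.compile(r"boolean\s+verify\s*\([^)]*\)\s*\{\s*return\s+true\s*;\s*\}")),
    ("hostname check disabled via ALLOW_ALL_HOSTNAME_VERIFIER",
     re.compile(r"\bALLOW_ALL_HOSTNAME_VERIFIER\b")),
]
COMMENTS = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)

def strip_comments(java_source):
    """Blank out comments, keeping newlines so line numbers stay correct.
    Naive: does not parse string literals, so '//' inside a string is cut."""
    return COMMENTS.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), java_source)

def scan(java_source):
    """Return sorted (line_number, finding) pairs for certificate-check bypasses."""
    code = strip_comments(java_source)
    findings = []
    for message, pattern in RULES:
        for match in pattern.finditer(code):
            findings.append((code.count("\n", 0, match.start()) + 1, message))
    return sorted(findings)

# Constructed sample sources, not taken from the Smartfrog app.
VULNERABLE = """\
class TrustAll implements X509TrustManager {
    public void checkServerTrusted(X509Certificate[] c, String a)
            throws CertificateException {
        // accept every certificate
    }
}
class AnyHost implements HostnameVerifier {
    public boolean verify(String host, SSLSession s) { return true; }
}
"""
FIXED = """\
class Delegating implements X509TrustManager {
    public void checkServerTrusted(X509Certificate[] c, String a)
            throws CertificateException {
        platformDefault.checkServerTrusted(c, a);
    }
}
"""
```

`scan(VULNERABLE)` reports the empty `checkServerTrusted` and the always-true `verify`, while `scan(FIXED)` returns no findings because the check is delegated to a real trust manager.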
With the new app version (pre-release; > 2.5.3) Smartfrog aimed to fix this problem and, as our new tests suggest, they were successful. As one can see in the following image showing an excerpt from a Wireshark capture, connections compromised by an attacker are now rejected by the application, and eavesdropping on sensitive data is no longer possible this way.
The necessary changes in the IP camera were made as well, so that all connections are now adequately secured. We also repeated all of the other previous tests to make sure that no new security issues were introduced. No serious flaws could be identified. The app is still not obfuscated; however, this is not a security issue per se. It might make life easier for attackers though.
As a result, the Smartfrog Android application along with the camera can now be considered adequately secured and therefore earns the full 3-star rating.
On top of that, the Smartfrog camera is the first IP camera ever to receive AV-TEST certification as a secure Smart Home product.
Nice to see IP Camera manufacturers taking the necessary actions to correct security problems on their products.
I hope that current and future manufacturers stop putting out products without first having their products tested by a security company specialized in their field, and correct all problems until they have the “all clear good to go” from the security company. That should be the minimum standard for all.